Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/09/2024, 13:12
Static task
static1
Behavioral task
behavioral1
Sample
fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe
-
Size
304KB
-
MD5
fe99ed0c5ffe46f197e558185b171131
-
SHA1
65e5036f68787f2e60f66ac6a7e33c32f1488df0
-
SHA256
7b7d6f4d2fb2db2a975be4f417da32cc6fac193f43c13227c87578b6a7993a94
-
SHA512
991b4f7f842096e72a71d0ba5e0c0e353087194ad501bf792999c721e8160be1909a18ddc3de15a273e1d34c917a7851c5485429f005cb87bf460f1fc1be76e5
-
SSDEEP
1536:Yf1zwQVgFpOAuJEklS+bE5hkk+kF56wpcf1zwQVgvxd2+:Y1zwLF8AuJEGbEUk+k5p81zwLvx
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe" userinit.exe -
Executes dropped EXE 64 IoCs
pid Process 2972 userinit.exe 3612 system.exe 3216 system.exe 4128 system.exe 736 system.exe 444 system.exe 2440 system.exe 3348 system.exe 1476 system.exe 1860 system.exe 2024 system.exe 4980 system.exe 3244 system.exe 1716 system.exe 3996 system.exe 4320 system.exe 1248 system.exe 1124 system.exe 4704 system.exe 3604 system.exe 1944 system.exe 4840 system.exe 3124 system.exe 4120 system.exe 1072 system.exe 4648 system.exe 4284 system.exe 944 system.exe 4368 system.exe 4520 system.exe 60 system.exe 1256 system.exe 4984 system.exe 3580 system.exe 4388 system.exe 4288 system.exe 4128 system.exe 2564 system.exe 5044 system.exe 2940 system.exe 1456 system.exe 2452 system.exe 1320 system.exe 1240 system.exe 3516 system.exe 4528 system.exe 2168 system.exe 3716 system.exe 4344 system.exe 2188 system.exe 2584 system.exe 768 system.exe 1736 system.exe 4612 system.exe 2748 system.exe 4668 system.exe 4992 system.exe 2112 system.exe 1160 system.exe 4120 system.exe 4108 system.exe 4304 system.exe 4864 system.exe 772 system.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\system.exe userinit.exe File created C:\Windows\SysWOW64\system.exe userinit.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\userinit.exe fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe File created C:\Windows\kdcoms.dll userinit.exe File created C:\Windows\userinit.exe fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language userinit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3352 fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe 3352 fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe 2972 userinit.exe 2972 userinit.exe 2972 userinit.exe 2972 userinit.exe 3612 system.exe 3612 system.exe 2972 userinit.exe 2972 userinit.exe 3216 system.exe 3216 system.exe 2972 userinit.exe 2972 userinit.exe 4128 system.exe 4128 system.exe 2972 userinit.exe 2972 userinit.exe 736 system.exe 736 system.exe 2972 userinit.exe 2972 userinit.exe 444 system.exe 444 system.exe 2972 userinit.exe 2972 userinit.exe 2440 system.exe 2440 system.exe 2972 userinit.exe 2972 userinit.exe 3348 system.exe 3348 system.exe 2972 userinit.exe 2972 userinit.exe 1476 system.exe 1476 system.exe 2972 userinit.exe 2972 userinit.exe 1860 system.exe 1860 system.exe 2972 userinit.exe 2972 userinit.exe 2024 system.exe 2024 system.exe 2972 userinit.exe 2972 userinit.exe 4980 system.exe 4980 system.exe 2972 userinit.exe 2972 userinit.exe 3244 system.exe 3244 system.exe 2972 userinit.exe 2972 userinit.exe 1716 system.exe 1716 system.exe 2972 userinit.exe 2972 userinit.exe 3996 system.exe 3996 system.exe 2972 userinit.exe 2972 userinit.exe 4320 system.exe 4320 system.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2972 userinit.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 3352 fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe 3352 fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe 2972 userinit.exe 2972 userinit.exe 3612 system.exe 3612 system.exe 3216 system.exe 3216 system.exe 4128 system.exe 4128 system.exe 736 system.exe 736 system.exe 444 system.exe 444 system.exe 2440 system.exe 2440 system.exe 3348 system.exe 3348 system.exe 1476 system.exe 1476 system.exe 1860 system.exe 1860 system.exe 2024 system.exe 2024 system.exe 4980 system.exe 4980 system.exe 3244 system.exe 3244 system.exe 1716 system.exe 1716 system.exe 3996 system.exe 3996 system.exe 4320 system.exe 4320 system.exe 1248 system.exe 1248 system.exe 1124 system.exe 1124 system.exe 4704 system.exe 4704 system.exe 3604 system.exe 3604 system.exe 1944 system.exe 1944 system.exe 4840 system.exe 4840 system.exe 3124 system.exe 3124 system.exe 4120 system.exe 4120 system.exe 1072 system.exe 1072 system.exe 4648 system.exe 4648 system.exe 4284 system.exe 4284 system.exe 944 system.exe 944 system.exe 4368 system.exe 4368 system.exe 4520 system.exe 4520 system.exe 60 system.exe 60 system.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3352 wrote to memory of 2972 3352 fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe 82 PID 3352 wrote to memory of 2972 3352 fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe 82 PID 3352 wrote to memory of 2972 3352 fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe 82 PID 2972 wrote to memory of 3612 2972 userinit.exe 85 PID 2972 wrote to memory of 3612 2972 userinit.exe 85 PID 2972 wrote to memory of 3612 2972 userinit.exe 85 PID 2972 wrote to memory of 3216 2972 userinit.exe 88 PID 2972 wrote to memory of 3216 2972 userinit.exe 88 PID 2972 wrote to memory of 3216 2972 userinit.exe 88 PID 2972 wrote to memory of 4128 2972 userinit.exe 89 PID 2972 wrote to memory of 4128 2972 userinit.exe 89 PID 2972 wrote to memory of 4128 2972 userinit.exe 89 PID 2972 wrote to memory of 736 2972 userinit.exe 90 PID 2972 wrote to memory of 736 2972 userinit.exe 90 PID 2972 wrote to memory of 736 2972 userinit.exe 90 PID 2972 wrote to memory of 444 2972 userinit.exe 92 PID 2972 wrote to memory of 444 2972 userinit.exe 92 PID 2972 wrote to memory of 444 2972 userinit.exe 92 PID 2972 wrote to memory of 2440 2972 userinit.exe 93 PID 2972 wrote to memory of 2440 2972 userinit.exe 93 PID 2972 wrote to memory of 2440 2972 userinit.exe 93 PID 2972 wrote to memory of 3348 2972 userinit.exe 94 PID 2972 wrote to memory of 3348 2972 userinit.exe 94 PID 2972 wrote to memory of 3348 2972 userinit.exe 94 PID 2972 wrote to memory of 1476 2972 userinit.exe 97 PID 2972 wrote to memory of 1476 2972 userinit.exe 97 PID 2972 wrote to memory of 1476 2972 userinit.exe 97 PID 2972 wrote to memory of 1860 2972 userinit.exe 98 PID 2972 wrote to memory of 1860 2972 userinit.exe 98 PID 2972 wrote to memory of 1860 2972 userinit.exe 98 PID 2972 wrote to memory of 2024 2972 userinit.exe 99 PID 2972 wrote to memory of 2024 2972 userinit.exe 99 PID 2972 wrote to memory of 2024 2972 userinit.exe 99 PID 2972 wrote to memory of 4980 2972 userinit.exe 100 PID 2972 wrote to memory of 4980 2972 userinit.exe 100 PID 2972 wrote to memory of 4980 2972 userinit.exe 100 PID 2972 wrote to memory of 3244 2972 userinit.exe 101 PID 2972 wrote to memory of 3244 2972 userinit.exe 101 PID 2972 wrote to memory of 3244 2972 userinit.exe 101 PID 2972 wrote to memory of 1716 2972 userinit.exe 102 PID 2972 wrote to memory of 1716 2972 userinit.exe 102 PID 2972 wrote to memory of 1716 2972 userinit.exe 102 PID 2972 wrote to memory of 3996 2972 userinit.exe 103 PID 2972 wrote to memory of 3996 2972 userinit.exe 103 PID 2972 wrote to memory of 3996 2972 userinit.exe 103 PID 2972 wrote to memory of 4320 2972 userinit.exe 104 PID 2972 wrote to memory of 4320 2972 userinit.exe 104 PID 2972 wrote to memory of 4320 2972 userinit.exe 104 PID 2972 wrote to memory of 1248 2972 userinit.exe 105 PID 2972 wrote to memory of 1248 2972 userinit.exe 105 PID 2972 wrote to memory of 1248 2972 userinit.exe 105 PID 2972 wrote to memory of 1124 2972 userinit.exe 106 PID 2972 wrote to memory of 1124 2972 userinit.exe 106 PID 2972 wrote to memory of 1124 2972 userinit.exe 106 PID 2972 wrote to memory of 4704 2972 userinit.exe 107 PID 2972 wrote to memory of 4704 2972 userinit.exe 107 PID 2972 wrote to memory of 4704 2972 userinit.exe 107 PID 2972 wrote to memory of 3604 2972 userinit.exe 108 PID 2972 wrote to memory of 3604 2972 userinit.exe 108 PID 2972 wrote to memory of 3604 2972 userinit.exe 108 PID 2972 wrote to memory of 1944 2972 userinit.exe 109 PID 2972 wrote to memory of 1944 2972 userinit.exe 109 PID 2972 wrote to memory of 1944 2972 userinit.exe 109 PID 2972 wrote to memory of 4840 2972 userinit.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fe99ed0c5ffe46f197e558185b171131_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\userinit.exeC:\Windows\userinit.exe2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3612
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3216
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4128
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:736
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:444
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2440
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3348
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1476
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1860
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4980
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3244
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1716
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3996
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4320
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1248
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1124
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4704
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3604
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4840
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3124
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4120
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1072
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4648
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4284
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:944
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4368
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4520
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:60
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1256
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:4984
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3580
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:4288
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:4128
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2564
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:5044
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:1456
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:1320
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:1240
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:3516
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:4528
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:2168
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3716
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:2188
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:768
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:1736
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:4612
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:2748
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:4668
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2112
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:1160
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4120
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4108
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:4304
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- Executes dropped EXE
PID:772
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:364
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2272
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4296
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:4264
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1856
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2104
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3556
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:4984
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:1808
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4356
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2808
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:100
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:1012
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:5036
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2564
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2948
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1336
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2940
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1100
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2452
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:4372
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:4468
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3928
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3032
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:3852
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3880
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3800
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2340
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2316
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2760
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4328
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1404
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2748
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1608
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1944
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1056
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4664
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2112
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3224
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3200
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1464
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:636
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:536
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:944
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2764
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:772
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:5060
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2320
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2184
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3900
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:4600
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4376
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2684
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:1644
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:116
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:100
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2560
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:1676
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2440
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1996
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:2640
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4436
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4544
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2632
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2024
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2896
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4084
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:3824
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:3716
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4324
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:3880
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:2204
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:4836
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4068
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:4488
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵PID:1656
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe3⤵
- System Location Discovery: System Language Discovery
PID:3608
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304KB
MD5fe99ed0c5ffe46f197e558185b171131
SHA165e5036f68787f2e60f66ac6a7e33c32f1488df0
SHA2567b7d6f4d2fb2db2a975be4f417da32cc6fac193f43c13227c87578b6a7993a94
SHA512991b4f7f842096e72a71d0ba5e0c0e353087194ad501bf792999c721e8160be1909a18ddc3de15a273e1d34c917a7851c5485429f005cb87bf460f1fc1be76e5